DOE Fundamentals Handbook Chemical Process Hazards Analysis PDF
ENGLISH
DOE-HDBK-1100-96
February 1996
DOE HANDBOOK
CHEMICAL PROCESS HAZARDS ANALYSIS
AREA SAFT
This document has been reproduced directly from the best available copy.
Available to DOE and DOE contractors from the Office of Scientific and
Technical Information, P.O. Box 62, Oak Ridge, TN 37831; (423) 576-8401.
Available to the public from the U.S. Department of Commerce, Technology
Administration, National Technical Information Service, Springfield, VA 22161;
(703) 487-4650.
Order No. DE96006557
FOREWORD
The Office of Worker Health and Safety (EH-5) under the Assistant Secretary for the
Environment, Safety and Health of the U.S. Department of Energy (DOE) has published two
handbooks for use by DOE contractors managing facilities and processes covered by the
Occupational Safety and Health Administration (OSHA) Rule for Process Safety Management
of Highly Hazardous Chemicals (29 CFR 1910.119), herein referred to as the PSM Rule. The
PSM Rule contains an integrated set of chemical process safety management elements
designed to prevent chemical releases that can lead to catastrophic fires, explosions, or toxic
exposures. The purpose of the two handbooks, "Process Safety Management for Highly
Hazardous Chemicals" and "Chemical Process Hazards Analysis," is to facilitate
implementation of the provisions of the PSM Rule within the DOE.
The purpose of this handbook is to facilitate, within the DOE, the performance of chemical
process hazards analyses (PrHAs) as required under the PSM Rule. It provides basic
information for the performance of PrHAs, and should not be considered a complete resource
on PrHA methods. Likewise, to determine if a facility is covered by the PSM rule, the reader
should refer to the handbook, "Process Safety Management for Highly Hazardous Chemicals"
(DOE-HDBK-1101-96).
Promulgation of the PSM Rule has heightened the awareness of chemical safety management
issues within the DOE. This handbook is intended for use by DOE facilities and processes
covered by the PSM rule to facilitate contractor implementation of the PrHA element of the
PSM Rule. However, contractors whose facilities and processes are not covered by the PSM
Rule may also use this handbook as a basis for conducting process hazards analyses as part of
their good management practices.
This handbook explains the minimum requirements for PrHAs outlined in the PSM Rule.
Nowhere have requirements been added beyond what is specifically required by the rule.
ACKNOWLEDGEMENTS
The U.S. Department of Energy (DOE) wishes to thank all persons who commented on this
handbook for their help in clarifying and focusing this guidance. Ms. Pamela Sutherland of
Battelle-Columbus managed the preparation of this handbook by Battelle Memorial Institute
staff in Columbus and at Pacific Northwest Laboratories (PNL).
TABLE OF CONTENTS
FOREWORD
ACKNOWLEDGEMENTS
LIST OF TABLES
LIST OF FIGURES
ACRONYMS
GLOSSARY
1.0 INTRODUCTION
9.0 REFERENCES
LIST OF FIGURES
Figure 3.1.
Figure 3.2.
Figure 3.3.
Figure 4.1.
Figure 4.2.
Figure 4.3.
Figure 4.4.
ACRONYMS
ANSI
API
ASME
ASTM
CCPS
CSO
DOE
DOT
ERPG
EVC
FTAP
FMEA
HAZOP
HHC
IDLH
IRRAS
IEEE
ISA
JHA
LFL
M&O
MCS
MOC
MSDS
NFPA
ORC
ORR
OSHA
P&ID
PEL
PHA
PrHA
PSI
PSM
PSR
SAR
SHI
SOP
TLV
TQ
UFL
GLOSSARY
The total amount of a hazardous chemical contained in vessels that are interconnected,
or contained in a process and nearby unconnected vessels, that may be adversely
affected by an event at that process.
Catastrophic Release
A gas that, at ambient temperature and pressure, forms a flammable mixture with air at
a concentration of 13 percent by volume or less; or a gas that, at ambient temperature
and pressure, forms a range of flammable mixtures with air wider than 13 percent by
volume, regardless of the lower limit.
Flammable Liquid
Liquid with a flash point below 100 deg F (37.8°C), except mixtures where such
liquids account for 1 percent or less of the total volume.
Hazard
A chemical property, energy source, or physical condition that has the potential to cause
illness, injury, or death to personnel, or damage to property or to the environment,
without regard for the likelihood or credibility of potential accidents or the mitigation of
consequences.
Highly Hazardous Chemical
An unplanned event that may or may not result in injuries and/or loss.
Near Miss
An event that did not result in an accidental release of a highly hazardous chemical, but
which could have, given another "failure." Near misses, sometimes called "precursors,"
include:
the determination that a protection system was out of service such that if an
initiating event had occurred, a release of a highly hazardous chemical would
have taken place.
A facility that is operated, maintained, or serviced by workers who visit the facility
only periodically to check its operation and to perform necessary operating or
maintenance tasks. No workers are regularly or permanently stationed at the facility.
Such facilities are not contiguous with, and must be geographically remote from, all
other buildings, processes, or persons. If workers spend more than 1 hour at a facility
each day, that facility is not considered to be normally unoccupied.
Probability
Any onsite activity that involves a highly hazardous chemical, including any use,
storage, manufacturing, handling, or movement of a highly hazardous chemical, or
combination of these activities. Any interconnected group of vessels is considered a
single process. Vessels with no physical interconnections located such that an accident
in one vessel could spread to adjacent vessels are considered a single process.
Process Hazard
An inherent chemical or physical characteristic with the energy potential for damaging
people, property, and/or the environment.
Process Hazards Analysis (PrHA)
The application of one or more analytical methods to identify and evaluate process
hazards for the purpose of determining the adequacy of or need for control measures.
Process Safety Management
The Occupational Safety and Health Administration's rule "Process Safety Management
of Highly Hazardous Chemicals," 29 CFR 1910.119.
Risk
The quantitative or qualitative expression of possible loss that considers both the
probability that a hazard will result in an adverse event and the consequences of that
event.
Threshold Quantity
1.0 INTRODUCTION
On February 24, 1992, the Occupational Safety and Health Administration (OSHA) released a
revised 29 CFR Part 1910 that added Section 1910.119, "Process Safety Management of
Highly Hazardous Chemicals; Explosives and Blasting Agents," to protect employees by
preventing or minimizing the consequences of chemical accidents. This regulation, hereafter
referred to as the PSM Rule, prescribes a total safety management program with 14 defined
elements. Guidance for implementing the PSM Rule is provided in "Process Safety
Management for Highly Hazardous Chemicals" (DOE-HDBK-1074-96).
One of the most important elements of the PSM Rule is the process hazard analysis (PrHA)*.
It requires the systematic identification of hazards and related accident scenarios. The PSM
Rule allows the use of different analysis methods, but the selected method must be based on
the process being analyzed. The PSM Rule specifies that PrHAs must be completed as soon
as possible within a 5-year period. However, one-fourth of the PrHAs must have been
completed by May 26, 1994, with an additional one-fourth completed each succeeding year.
The highest risk processes were to be done first. A schedule for PrHAs must be established
at the outset of a process safety management (PSM) program to give priority to the highest
risk processes. PrHAs must be reviewed and updated at least every 5 years.
This handbook should be considered basic information for the required PrHA element, not a
complete resource on PrHA methods. Summary descriptions and basic step-by-step
instructions are provided. However, existing references, which are identified in each section,
provide additional insight and should be used. The primary reference should be Guidelines
for Hazard Evaluation Procedures (CCPS, 1992). In addition, resources from relevant
professional organizations should be used on a continuing basis to maintain competence in
PrHA. These resources include books and publications, technical meetings, and continuing
education. Most DOE contractors probably do not now have staff knowledgeable** in PrHA.
Each DOE facility that stores or uses hazardous chemicals in above-threshold quantities will
have to develop the capability to complete PrHAs as required.
* To those already familiar with hazard/risk analysis methods, a "PHA" designates a Preliminary Hazard
Analysis. Unfortunately, the PSM Rule uses these same letters to designate Process Hazard Analysis. In this
document, PrHA will designate Process Hazard Analysis to avoid confusion with Preliminary Hazard Analysis.
Note that other literature may be confusing on this issue.
** OSHA uses this term to indicate that the PrHA leader must have competence in the selected PrHA method as
applied to process systems. However, OSHA has not formally defined "knowledgeable". A minimum
interpretation could include completion of a "hands-on" type workshop on the PrHA method chosen; experience
in an actual PrHA, led by another experienced PrHA leader, using the chosen method; and ability to effectively
lead a technical brain-storming type meeting.
Under the PSM Rule, the PrHA element requires the selection and application of appropriate
hazard analysis methods to systematically identify hazards and potential accident scenarios
associated with highly hazardous chemicals. The components of a PrHA are summarized and
explained below.
2.1
The PSM Rule requires that up-to-date process safety information exist before conducting a
PrHA, with the exception of technology information that can be created in conjunction with
the PrHA. Complete and accurate written information about process chemicals, technology,
and equipment is essential to the team that performs a PrHA. It is also needed by personnel
developing training programs and operating procedures, subcontractors whose employees work
with the process, teams conducting pre-startup reviews, and local emergency preparedness
planners.
2.1.1 Information About Highly Hazardous Process Chemicals
Information about the chemicals used in a process, as well as chemical intermediates, must be
comprehensive enough for an accurate assessment of fire and explosion characteristics,
reactivity hazards, safety and health hazards to workers, and corrosion and erosion effects on
process equipment and monitoring tools. Information must include, at a minimum:
(1) toxicity information; (2) permissible exposure limits; (3) physical data such as boiling
point, freezing point, liquid/vapor densities, vapor pressure, flash point, autoignition
temperature, flammability limits (LFL and UFL), solubility, appearance, and odor; (4)
reactivity data, including potential for ignition or explosion; (5) corrosivity data, including
effects on metals, building materials, and organic tissues; (6) identified incompatibilities and
dangerous contaminants; and (7) thermal data (heat of reaction, heat of combustion). Current
Material Safety Data Sheets (MSDSs) may be used to help meet this requirement. Where
applicable, process chemistry information should be included about potential runaway
reactions and overpressure hazards and hazards arising from the inadvertent mixing of
incompatible chemicals.
2.1.2 Information About Process Technology
Process technology information must include at least: (1) block flow diagrams or simplified
process flow diagrams such as the type shown in Figure 4.1; (2) process chemistry; (3) DOE
contractor-established criteria for maximum inventory levels for process chemicals;
(4) process limits that, when exceeded, are considered an upset condition; and (5) qualitative
estimates of the consequences of deviations that could occur if established process limits are
exceeded. If the original technology information is not available, it can be created in
conjunction with the PrHA.
Block flow diagrams may be used to show major process equipment and interconnecting
process flow lines, flow rates, stream composition, temperatures, and pressures. When
necessary for completeness, process flow diagrams should be used to show all main flow
streams including valves; pressures and temperatures on all feed and product lines within all
major vessels; and points of pressure and temperature control. Construction materials, pump
capacities, pressure heads, compressor horsepower, and vessel design pressures and
temperatures are shown when necessary for clarity. Major components of control loops are
usually shown along with key utilities. Piping and instrumentation diagrams (P&IDs), which
are required under process equipment information, may be more appropriate to show some of
these details.
2.1.3 Information About Process Equipment
A PrHA is an organized and systematic method to identify and analyze the significance of
potential hazards associated with processing or handling highly hazardous chemicals. A
PrHA helps employers and workers to make decisions for improving safety and reducing the
consequences of unwanted or unplanned releases of hazardous chemicals. It is used to
analyze potential causes and consequences of fires, explosions, releases of toxic or flammable
chemicals, and major spills of hazardous chemicals. It focuses on equipment, instrumentation,
utilities, routine and non-routine human actions, and external factors that might impact a
process.
The PSM Rule specifies that a PrHA be performed on every process covered under the rule.
If several processes require PrHAs, the PrHAs must be prioritized. A preliminary hazard
analysis (PHA) may be used to determine and document the priority order for conducting
PrHAs. At a minimum, the PSM Rule requires the prioritization to consider the potential
severity of a chemical release, the number of potentially affected employees, and the
operating history of the process, including the frequency of past chemical releases and the age
of the process.
2.2.1 Schedule
The schedule imposed by the PSM Rule allows for gradual completion of the required PrHAs.
However, the PrHAs must be conducted as soon as possible, and according to the following
schedule.
2.2.2 Scope
To help assure that all hazards are identified and evaluated, PrHAs must address the
following.
2.2.3 Team
PrHAs must be performed by a team. Teams can vary in size and in operational background,
but must have expertise in engineering and process operations. Individuals may be full-time
team members or may be part of a team for only a limited time. That is, team members may
be rotated according to their expertise in the part of the process being reviewed.
The team conducting a PrHA must understand the method being used. In addition, one
member of the team must be fully knowledgeable in the implementation of the PrHA
method.* The PSM Rule also requires that at least one team member be an "employee" with
experience and knowledge specific to the process being evaluated. Some organizations have
interpreted the term "employee" to mean an hourly employee such as a senior operator.
The ideal PrHA team has an intimate knowledge of the standards, codes, specifications, and
regulations applicable to the process. Team members must be compatible, and the team
leader must be able to manage the team and the study.
2.2.4 Findings and Recommendations
DOE contractors must retain PrHAs and updates for each process covered by the PSM Rule,
along with documented resolutions of recommendations, for the life of the process.
2.2.5 Acceptable Methodology
The PSM Rule specifies that DOE contractors use one or more of the following
methodologies, as appropriate, to determine and evaluate the hazards of the process being
analyzed:
What-If
Checklist
What-If/Checklist
Hazard and Operability Study
Failure Mode and Effects Analysis
Fault Tree Analysis
An appropriate equivalent methodology.
* OSHA does not specify that the team leader be the member of the team who is knowledgeable in the
implementation of the PrHA method.
This section addresses topics common to all PrHA methods. A step-wise procedure for
conducting a PrHA according to PSM Rule requirements is presented, followed by
recommended approaches for analyzing scenarios, deciding on action items, and incorporating
facility siting and human factors into the PrHA.
3.1 Step-by-Step Procedure
This section describes 14 tasks required for compliance with the PSM Rule regardless of the
PrHA method selected. The sequence of these tasks is shown in Figure 3.1. This figure also
indicates where process safety information (PSI) requirements fit into PrHA tasks, and what
documents are generated as a result of each task. Concepts common to all PrHA methods are
also discussed.
To conduct an effective PrHA, both operating management and the PrHA team must
understand their respective responsibilities. In general, the tasks break down as follows:
TASK        RESPONSIBILITY
A-F         Operating management
G, H, I     PrHA team
J, K        Operating management and PrHA team
If a chemical facility
contains more than one process covered by the PSM Rule, the rule requires that processes
posing the greatest risk to workers be analyzed first. A methodology for ranking is not
specified, but any method chosen must account for (1) the extent of the process hazards;
(2) the number of potentially affected employees; (3) the age of the process; and (4) the
operating history of the process. The following factors should be considered when selecting a
ranking methodology: ease of application, qualitative versus semi-quantitative (order of
magnitude) results, manpower required, and traceability.
Although not required under the PSM Rule, DOE contractors may want to consider performing PrHAs on
processes using large volumes of hazardous chemicals that do not appear in the Appendix A list. In addition,
contractors may want to consider conducting PrHAs on processes containing/using quantities of listed HHCs
that are just below TQ requirements for coverage under the PSM Rule.
[Figure 3.1: flowchart of the PrHA task sequence; the layout did not survive extraction.
Column headings: PROCESS SAFETY INFORMATION; DOCUMENTS GENERATED.
Surviving task labels: "Gather available process safety information on covered processes";
"to develop/update information and compare with available resources. Increase resources if
necessary"; "Start here for each process hazard analysis"; "Develop/update missing or outdated
process safety information"; "J Review/approve process hazard analysis report and action items";
"K Address action items".
Surviving document labels: "PRIORITIZED LIST OF" (cut off); "PLAN WITH STAFFING AND FUNDING
REQUIREMENTS"; "PROCESS HAZARD ANALYSIS REPORT, WITH ACTION ITEMS LIST"; "APPROVED PROCESS HAZARD
ANALYSIS REPORT (File and retain)".]
After a prioritized list of processes is developed, a plan for PrHAs can be established. This
plan must follow the minimum schedule in the PSM Rule, listed in Section 2.2.1, with no less
than one-fourth of the PrHAs completed by May 26, 1994 and one-fourth completed each
succeeding year. All PrHAs must be completed by May 26, 1997. However, the PSM Rule
also states that PrHAs are to be done "as soon as possible, but no later than [the following
schedule...]." This point is stated explicitly in the OSHA inspector's compliance guidelines,
so it must be demonstrated that scheduled PrHAs were completed before the annual deadlines
and that no intentional delays were incorporated into the PrHA schedule. For example, a
large site might have mostly office and laboratory facilities, and only two processes covered
by the PSM Rule. If manpower is available to conduct two PrHAs in parallel within the first
year, then the PrHA schedule should not be extended over a 3-year period.
TASK C: SELECT A PrHA METHOD FOR EACH PROCESS.
The manpower required to conduct a PrHA depends on many factors, including the review method
selected, the training and experience of the review team, the extent and complexity of the
process, its instrumentation and controls, and whether the process is a procedure-oriented
operation (such as a batch reaction) or a continuous operation (such as petroleum refining).
In addition, reviews and updates of existing PrHAs tend to be less time consuming than initial
analyses. Guidance for estimating PrHA time requirements is given for each review method
in Sections 4.1 to 4.6.
Based on the analysis methods selected in Task C, the status of existing PrHAs, and the time
requirements for the methods reviewed in Sections 4.1 to 4.6, the manpower requirements for
PrHAs, and reviews and updates, can be estimated. Comparing these requirements with
available personnel indicates where additional staffing may be needed, either on a temporary
or longer-term basis.
TASK F: ASSEMBLE THE PrHA TEAM AND TRAIN THE TEAM MEMBERS.
Regardless of the
method selected, the PSM Rule requires all PrHAs to be performed by a team. This team is
an ad hoc committee, formed solely to conduct a PrHA for an assigned process. It is
disbanded after the analysis, including documentation, has been completed.
The review team must have expertise in engineering and process operations, and at least one
team member must have experience and knowledge specific to the process being evaluated.
If the process is a new design, the experience requirement may be satisfied by bringing in a
person from a sister plant or from a similar or precursor process. In addition, at least one
member of the team must be knowledgeable in the hazard analysis methodology being used
(see note at the end of Section 1.0).
All team members should be familiar with PrHA objectives, the PrHA method to be used, and
their roles in performing the PrHA. A 1- or 2-hour overview at the beginning of the first
team review session is generally sufficient for this purpose. However, the more demanding
PrHA methods, such as fault tree analysis (FTA), require more training and/or a greater depth
of experience than less-rigorous methods, such as what-if and checklist analyses.
TASK G: SCHEDULE THE PrHAs.
improve the PSM program. The team should then finalize the report. The approval of the
final PrHA report by operating management is a commitment by management to implement
all action items. Section 5.2 addresses the PrHA review process.
TASK K: ADDRESS THE ACTION ITEMS.
3.2
This section presents "how-to" approaches for subjects common to all PrHA methods. The
PSM Rule requires that every PrHA include these activities.
A process hazard is an inherent chemical or physical characteristic with the energy potential
for damaging people, property, and/or the environment. The key word in this definition is
potential. In a process or system, hazards are not always obvious. Energy may be stored in
many different forms, including chemical (reactivity, flammability, corrosivity, toxicity),
mechanical (kinetic, potential) and thermal.* Hazards exist whenever a system is above or
below an ambient energy level, regardless of how the energy is stored. For example, for the
process parameter of pressure, the ambient condition is atmospheric pressure. The higher the
system pressure is above atmospheric, the greater the stored energy and the greater the hazard.
A system pressure below atmospheric (i.e., a vacuum) can also pose hazards, such as the
potential for collapse of a storage tank.
Table 3.4 presents a list of hazards commonly found in process operations, grouped according
to how energy is stored. It can be used as a starting point to develop a checklist
for identifying process hazards. However, the list is not exhaustive. Thus, a PrHA team may
have to augment it as they consider the unique hazards of the process they are analyzing.
* Nuclear energy, another source of hazards at DOE facilities, is not addressed in this document.
The following five steps should be taken to help identify hazards.
1. List all obvious hazards. Most processes include a number of hazards that are
   already fully recognized, such as the flammability of propane or the inhalation
   toxicity of chlorine.
2.
3.
4.
5. Document the identified hazards. The PrHA report should list identified hazards
   in tabular form and/or discuss each hazard briefly in the text. Doing both is
   preferred. New or previously unidentified hazards should receive particular
   attention and discussion.
The parts of an accident event involving a process operation are shown in Figure 3.3. Each
sequence of failures and conditions leading to an accident is a unique scenario. Every
accident scenario starts with an initiating event or cause, which is a mechanical failure,
operational error, external event, or other condition that causes normal operation to be
interrupted or changed. Initiating events can lead to process deviations. For example, failure
of a cooling water pump (initiating event) may result in loss of cooling to a process involving
an exothermic reaction. A deviation occurs when the process temperature exceeds the upper
limit of the normal operating temperature for the reaction stage. If the deviation
FORM OF ENERGY                        ASSOCIATED HAZARD(S)
CHEMICAL ENERGY                       Ability to self-polymerize
                                      Uncontrolled polymerization
                                      Shock-sensitivity
                                      Thermal instability
                                      Rearranging ability
                                      Pyrophoricity
                                      Flammability
                                      Combustibility
                                      Peroxidizing ability
                                      Water-reactivity
                                      Acidity or causticity
                                      Toxicity
THERMAL ENERGY                        Elevated temperature
PRESSURE-VOLUME ENERGY
POTENTIAL (POSITIONAL) ENERGY
KINETIC ENERGY (MATERIAL TRANSFER)
ELECTROMAGNETIC                       Elevated electromagnetic radiation levels
ELECTRICAL ENERGY                     Elevated voltage
[Figure: chart of interactions between process materials; the caption and cell layout did not
survive extraction.
Materials and listed hazards: NH3, anhydrous ammonia (combustible; toxic vapor; cryogenic liquid
spill); Cl2, chlorine (oxidizer; toxic vapor; cryogenic liquid spill); HF, anhydrous hydrogen
fluoride (strong acid; corrosive; toxic vapors and liquid); C4H6, 1,3-butadiene (flammable;
peroxidizes; polymerizes; decomposes); Fe, etc., carbon steel (material of construction); H2O
(elevated pressure, remainder cut off).
Surviving cell entries: "explosive NCl3 formed with excess chlorine or heat"; "heat generation,
liberating toxic vapors"; "fire, toxic gas generation"; "heat generation, violent polymerization";
"iron/chlorine fire if above 250°C (or 100°C with impurities)"; "hydrogen blistering between steel
laminations"; "antioxidant consumed"; "none predicted".]
AAAA
AAAA
AAAA
AAAA
AA
150#
steam
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAA
AA
AAAAAAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
liberating
liberating
leading
to
temperature
AAAAAAAAAAAAAA
AAAAAAAAAAAAAA
AAAAAAAA
AAAAAAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAAAAAAAAAA
AAAAAAAA
AAAAAA
AA toxic vapors
AAAA
AAAA
AAAA
AAAA
AA
toxic vapors polymerizaAAAA
AAAA
AAAAAAAA
AAAAAAAA
AAAAAAAA
AAAAAA
AA
AAAAAAAA
AAAAAAAA
AAAAAAAA
AAAAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
tion
AAAA
AAAAAAAAAA
AAAAAA
AA
AAAAAAAA
AAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AA
AAAAAAAAAAAAAAAAAA
AAAAAAAA
AAAAAAAA
AAAAAAAAAAAAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
A
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
combined AAAA
AAAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AA
NH
ClAAAA
HFAAAA
C4AAAA
H6 AAAA
FeAAAA
, etc.
H2AAAA
O AAAA
3 AAAA
2
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
A
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AA
AAAA
AA
AA
A
AAAA
AA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
with... AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
A
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
anhydrous
chlorine
anhydrous
1,3steel
150#
steam
AAAA
AA
AAAA
AAAAAA
AAAAAA
A carbon
AAAA
AAAAAA
AA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
A
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
A
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
ammonia
hydrogen
butadiene
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
A
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
A
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
A
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
fluoride
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
A
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
A
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
A
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
A
AAAA
AAAA
AAAA
AAAA
AA
AAAA
AAAA
AAAA
AAAA
AAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
A
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AA
NOTE: Descriptions along diagonal are properties of materials by themselves.
All potential material interactions should be examined for incompatibilities. Even if process materials
are relatively non-hazardous when considered independently, some potentially dangerous interactions
may occur when materials are combined. Interactions between process chemicals, containment
materials, and other materials with which the chemicals come in contact can be examined in pairs by
using an interaction matrix.
proceeds uncorrected, loss of control can lead to an accident event, such as a vessel rupture
explosion. Various protection systems, such as alarms, interlocks, and emergency relief
systems, may be employed to keep the accident event from occurring.
3.2.3 Review Previous Incidents
The PSM Rule requires all PrHAs to address "any previous incident which had a likely
potential for catastrophic consequences in the workplace," 29 CFR 1910.119(e)(3)(ii). An
incident is an unplanned event that may or may not result in injuries and/or loss. For
example, an incident might involve a flammable gas leak that does not ignite. An accident,
on the other hand, is an unplanned event that actually leads to personal injury, property
damage, environmental damage, and/or business interruption losses, such as the ignition of a
flammable gas leak resulting in burns and fire damage.
Previous accidents and incidents involving a process under study must be reviewed as part of
the PrHA. The importance of reviewing accident and incident records is discussed in the
anatomy of a process accident outlined in the preceding section (see Figure 3.3). Incidents
can indicate what could happen if protection systems, which are not totally reliable, do not
work. Thorough incident investigations may also indicate root causes of initiating events and
protective system failures and thus suggest action items to improve safety-management
systems. Incident records also help show the likelihood of failures and operational errors.
3.2.4 Analyze Controls and Control Failures
Process safety is the successful elimination or control of process hazards over the lifetime of a
process. Engineering and administrative controls must be in place to keep process parameters
within safe operating limits and to prevent challenges to system integrity. A PrHA addresses
engineering and administrative controls applicable to process hazards, as well as the
interrelationship of these controls, by identifying and documenting the process safety levels.
For example, the safety levels to keep a deviation from becoming an accident should be
documented in the protection (or safety levels) column of a HAZOP study worksheet when
that method is employed. The levels of protection to keep the accident from occurring are
included in a FTA as protective system branches which come together with initiator branches
at AND logic gates.
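The AND-gate arrangement described above, as an added example that is not part of the handbook: a small fault tree in Python that derives minimal cut sets and a rare-event estimate of the top event. The gate layout, event names, and numeric values are constructed for illustration.

```python
from itertools import product
from math import prod

# Constructed illustration values (not from the handbook): initiators are
# frequencies per year, protection failures are probabilities per demand.
BASIC_EVENTS = {
    "cooling water lost": 0.1,
    "feed valve fails open": 0.05,
    "high-pressure alarm fails": 0.01,
    "operator does not respond": 0.1,
    "interlock fails": 0.02,
    "relief valve fails closed": 0.001,
}

# Initiator branch: either deviation starts the accident sequence.
INITIATORS = ("OR", ["cooling water lost", "feed valve fails open"])
# Alarm protection fails if the alarm is silent or the operator does not act.
ALARM_BRANCH = ("OR", ["high-pressure alarm fails", "operator does not respond"])
# Top event: the initiator AND every protective branch failing together.
TOP = ("AND", [INITIATORS, ALARM_BRANCH,
               "interlock fails", "relief valve fails closed"])


def cut_sets(node):
    """Return the minimal cut sets of a gate tree as a set of frozensets."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":
        # Any child's cut set is enough to cause the gate output.
        combined = set().union(*child_sets)
    elif gate == "AND":
        # One cut set from every child must occur together.
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate: {gate}")
    # Absorption: drop any cut set that strictly contains a smaller one.
    return {cs for cs in combined if not any(other < cs for other in combined)}


def top_event_frequency(node, values):
    """Rare-event approximation: sum of the products over minimal cut sets."""
    return sum(prod(values[event] for event in cs) for cs in cut_sets(node))


if __name__ == "__main__":
    for cs in sorted(cut_sets(TOP), key=sorted):
        print(" AND ".join(sorted(cs)))
    print("all protection layers:", top_event_frequency(TOP, BASIC_EVENTS))
    relief_only = ("AND", [INITIATORS, "relief valve fails closed"])
    print("relief valve only:", top_event_frequency(relief_only, BASIC_EVENTS))
```

Each minimal cut set pairs one initiator with a failure of every protective branch, so removing a branch from the AND gate raises the estimate by the inverse of that branch's failure probability.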
As examples of engineering and administrative controls, the PSM Rule lists "appropriate
application of detection methodologies to provide early warning of releases." For systems
handling toxic materials, detection methodologies are generally mitigation systems that reduce
the severity of consequences after an accident occurs.
Most PrHA methods study protection systems but do not explicitly study mitigation systems.
FTA looks at all events and combinations of events that could lead to a top event, such as
explosions or toxic releases, but does not study the severity of the top event's consequences.
To fully comply with the PSM Rule, it may be necessary to include in the PrHA report an
analysis of mitigation systems that are in place to reduce the severity of consequences of
accidents.
The PSM Rule requires facility siting to be addressed in all PrHAs. For a new facility,
fulfilling this requirement can involve an analysis of plant layout and spacing between process
units. However, most PrHAs are performed on existing facilities. For existing facilities,
PrHAs should include the severity of consequences of potential accidents involving co-located
workers and adjacent facilities. Shielding, barricades, escape routes, control room location,
and control room design for employees involved in the operation of the process should also
be discussed. In addition, the impacts of vehicular traffic and of adjacent operations should
be considered.
It may be desirable to discuss facility siting issues at the beginning of the PrHA sessions. As
a minimum, comments and assumptions about siting and plant layout can be included in the
PrHA analysis documentation, such as on HAZOP study worksheets. Table 3.2 provides a
sample checklist for worker/co-located worker exposures. A sample checklist for facility
siting issues is presented in Table 3.3.
Table 3.2. Checklist for Worker Exposures
PROCESS WORKER
OTHER WORKERS
[Checklist table: item text not recoverable from the source. Surviving category headings: Control Room; Process Facilities; Loading/Unloading and Storage Facilities; Fire Protection; Accident Mitigation; Personnel Protection.]
Regardless of the PrHA methodology, the team evaluates each accident scenario to determine
whether design and/or operating changes are needed to further protect onsite workers. These
judgments are usually based on risk rather than on either likelihood of occurrence or severity
of consequences. For example, an event such as a seal water leak may be quite likely, but if
the consequences are negligible, no safety-improvement recommendations are warranted.
Similarly, if the consequences of a given accident are severe but the likelihood of occurrence
is remote, then no safety-improvement recommendations may be warranted.
Qualitative evaluation often places the risk associated with each accident scenario into one of
three categories: (a) the risk is too high, or a code violation is uncovered, such that design
and/or operating changes are clearly warranted; (b) the risk is trivial or negligible, such that
changes are clearly not warranted; or (c) the risk is borderline, and the decision is not clear-cut. In the last case, closer examination is needed to better define the accident scenario itself,
its likelihood of occurrence, or the severity of its consequences. This closer examination can
take the form of field inspections, examination of historical records, operator interviews,
material testing, consequence modeling, and/or the use of more rigorous analysis methods,
such as quantitative FTA.
3.3 Presentation of Results
The critical results of a PrHA are a list of action items. Action items are written by the
PrHA team any time additional effort is warranted to further analyze a specific accident
scenario, eliminate the hazard, or reduce risks. Action items are not usually specific
corrective actions. Rather, they alert management to potential problems that require action.
Sometimes, action items suggest alternatives or recommend safety improvements. However,
if a problem is simple, if a PrHA team is quite experienced, or if there is only one solution,
an action item may recommend a specific corrective action.
All action items are presented to management for review and evaluation, and for
determination of what, if any, corrective actions should be taken to eliminate hazards or
reduce risks. Because many action items may be generated during a PrHA, the team may
choose to rank the items according to the probability of occurrence and/or the severity of the
consequences of their corresponding accident scenarios.
If the PrHA team is quite experienced, they may rank the action items according to the
anticipated time and resources needed to implement changes. Or the team may make safety
improvement and implementation recommendations. Ranking of action items or safety
improvement recommendations may be valuable to management in several ways. It shows the
significance that the PrHA team places on each item. It also allows management to prioritize
the immediate efforts of corrective action and resolution. If resources are scarce, the ranking
may affect the implementation schedule.
The PSM Rule allows the use of several PrHA methods. DOE contractors
should select the most appropriate methods for each facility or process and provide the
rationale for their selections. Sometimes a combination of methods may be most appropriate.
The selection of a PrHA method depends on many factors including the size and complexity
of the process and existing knowledge of the process. Has the process been in operation for a
long time with little or no innovation, and has extensive experience been generated with its
use? Or is the process new, or one that has been changed frequently by the inclusion of
innovative features? All PrHA methods are subject to certain limitations. Because PrHAs
depend on good judgment, assumptions made during a PrHA must be documented,
understood, and retained for future PrHAs.
Sections 4.1 through 4.6 below discuss the PrHA methods identified specifically in the PSM
Rule. They are preceded by two example processes (see Figures 4.1 and 4.2) that are
referenced in discussions of methods and used to show a step-by-step approach. Three steps
common to all methods are preparing for the analysis, performing the analysis, and
documenting the results. All the basic information needed about the methods is included in
this document, but there are numerous publications that provide additional information and
examples.
4.1 Checklist Analysis
A checklist analysis is used to verify the status of a system. This analysis method is
described in detail in Guidelines for Hazard Evaluation Procedures (CCPS, 1992).
The checklist analysis method is versatile, easy to use and can be applied at any stage in the
life of a process. It is primarily used to indicate compliance with standards and practices. It
is also a cost-effective way to identify common and customarily recognized hazards.
Checklists also provide a common basis for management review of assessments. Many
organizations use standard checklists to control the development of a process or an entire
project from initial design through decommissioning. The completed checklist must be
approved by all relevant staff members and managers before a project can move from one
stage to the next.
1: DOCK 8 HF SUPPLY SYSTEM.* The dock 8 HF supply system is designed to supply gaseous HF, under pressure, to a fluid
bed reactor to produce uranium tetrafluoride. The gaseous HF is created by heating and vaporizing anhydrous liquid HF that is brought to
the system in large portable cylinders. The vaporizer room is heated and has an exhaust fan in the wall near the roof. When the system is in
operation, the nitrogen (N2) pressurization system supplies 30-psig nitrogen to the top of the HF cylinder. The cylinder, which contains about
850 pounds of anhydrous HF when full, is on a calibrated scale and is connected to the nitrogen and HF piping systems by pigtail
connectors. The nitrogen pressure forces liquid HF to the vaporizer, which is heated by a hot water blanket supplied by a water heater and
circulating pump. The liquid HF is heated to its vaporization temperature at the desired pressure, and the resulting gaseous HF is directed to
the fluid bed reactor, regulated at 25 psig.
The designed safety system components in the HF feed station are the nitrogen pressure regulator and the nitrogen overpressure relief valves.
To provide overpressure protection for the vaporizer, relief valves are fitted to piping connected to the top of the vaporizer and supply
cylinder. A rupture disc, with a rupture pressure rating somewhat higher than the relief valve setting, is provided upstream of each of the
relief valves to protect the valves from continuous exposure to the corrosive HF environment. Between the rupture disc on the vaporizer and
the relief valve is a pipe tee to a manual vent with a block valve near the discharge. This valve can be opened manually to relieve pressure
between the rupture disc and relief valve or to vent the system during maintenance. A pressure gage is attached to the vent line upstream of
the block valve. A plastic hose is connected to the vent line pipe to direct vent gas to a plastic collection bottle. The collection bottle
normally contains water that covers the end of the vent line hose to absorb vent fumes/vapors.
2: COOLING WATER CHLORINATION SYSTEM. The cooling water chlorination system is designed to provide chlorination to the
basin of a cooling water system to prevent biological growth in the cooling water. Chlorine is provided from the vapor side of a 1-ton
cylinder. Pressure is reduced from the cylinder (normally 80 psig at 70°F) to 15 psig at the rotameter. The rotameter is adjusted manually to
provide an average flow rate of 2.5 to 3.0 pounds per hour to the pressure check valve. To operate properly, the chlorine gas supply must be
reduced to zero so that the vacuum from a venturi may draw a controlled amount of chlorine into the water stream. A pressure check valve
performs this function. Gas under pressure enters the pressure check valve. Its pressure is reduced to less than atmospheric as the gas passes
through two valves which do not open unless a vacuum is present on the downstream side. If the first valve passes gas when a vacuum is
not present, the second valve remains closed and contains the gas pressure in the unit. If the second valve also passes gas, the built-in
pressure relief valve permits this gas to pass out of the vent. A small pump recirculates water through the venturi creating the vacuum for
the chlorine and delivering chlorinated water to the basin. The pump's nominal flow rate is 30 gallons per hour.
A checklist analysis uses a written list of items or procedures to verify the status of a system.
Checklists may vary widely in level of detail, depending on the process being analyzed.
A traditional checklist analysis uses a list of specific items to identify known types of
hazards, design deficiencies, and potential accident scenarios associated with common process
equipment and operations. The method can be used to evaluate materials, equipment, or
procedures. Checklists are most often used to evaluate a specific design with which a
company or industry has a significant amount of experience, but they can also be used at
earlier stages of development for entirely new processes to identify and eliminate hazards that
have been recognized through operation and evaluation of similar systems. To be most
useful, checklists should be tailored specifically for an individual facility, process, or product.
4.1.2 Analysis Procedure
Performing a checklist analysis requires access to engineering design procedures and operating
practices manuals and must be performed by a team with appropriate expertise. An
experienced manager or staff engineer should review the results and direct follow-up actions.
SELECTING OR DEVELOPING A CHECKLIST.
Storage Tanks
Dikes
Emergency Valves
Inspections
Procedures
Specifications
Limitations
PERSONNEL PROTECTION
Protection
Ventilation
Exposures
Utilities
Hazards Manual
Environment
Controls
Calibration, Inspection
Alarms
Interlocks
Relief Devices
Pumps
Ducts
Conveyors, Mills
Procedures
Piping
Emergencies
Process Isolation
Instruments
WASTE DISPOSAL
Procedures
Ditches
Conformance
Loss of Utilities
Vessels
Identification
Relief Devices
Review of Incidents
Inspections, Tests
Hazards
Electrical
Operating Ranges
Ignition Sources
Compatibility
Safety Margins
Vents
Characteristics
SAMPLING FACILITIES
Sampling Points
Procedures
Samples
Analysis
MAINTENANCE
Decontamination
Vessel Openings
Procedures
FIRE PROTECTION
Fixed Protection
Extinguishers
Fire Walls
Drainage
Emergency Response
Source: Burk, 1992.
Operating limits
Modes of plant start-up, shutdown, construction, inspection and maintenance, trigger events and
deviations of system
Hazardous conditions
attributes or operating characteristics do not match the specific desired features on the
checklist, the analysts note the deficiency.
A checklist analysis made prior to construction is usually performed during a PrHA team
meeting. It focuses on review of the process drawings, completion of the checklist, and
discussion of the deficiencies.
DOCUMENTING THE RESULTS. Qualitative results of checklist analyses vary, but generally the
analysis produces the answers "yes," "no," "not applicable," or "needs more information."
The checklist should be included in the PrHA report. The PrHA team should summarize the
deficiencies noted during the walkthroughs and/or meetings. Understanding these deficiencies
usually leads to the development of a list of possible safety improvement alternatives for
managers to consider, or a list of identified hazards and a set of suggested actions.
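As an added example (not part of the handbook), the Python code below parses checklist entries in the "question? answer. remarks" layout used by the HF supply system checklist on this page, tallies the answer types, and lists the open items a PrHA team would summarize. The entry text is copied from that checklist; the function names, the UNSPECIFIED section label, and the rule that "no" and "needs more information" mark an open item are assumptions of this example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Entries copied from the HF supply system checklist shown on this page.
# The heading for the first group did not survive, so those items are
# filed under the assumed label UNSPECIFIED.
HF_CHECKLIST = """\
Do all raw materials continue to conform to original specifications? Yes. The cylinders are ordered with the same anhydrous HF specification used since startup.
Is each receipt of material checked? No. There have been no problems with the supplier, so no such check has been considered. Investigate consequences of receiving material other than HF. Consider adding such checks on HF receipts.
Does the operating staff have access to Material Safety Data Sheets? Yes. All staff are familiar with the process chemistry, including the hazards of HF.
Is fire fighting and safety equipment properly located and maintained? Yes.
EQUIPMENT
Has all equipment been inspected as scheduled? Yes. The maintenance personnel have inspected the equipment in the process area according to company inspection standards. Given the corrosivity of HF, inspections may have to be more frequent.
Have pressure relief valves been inspected as scheduled? Yes.
Have rupture discs been inspected (for having blown) as scheduled? Yes. Though none have failed, procedure calls for inspection of rupture disc and installation after maintenance.
Are the proper maintenance materials (parts, etc.) available? Yes. They include spare pigtails for the supply cylinders as well as properly rated rupture discs. Other items must be ordered.
"""

# The four answers the handbook lists for a checklist analysis.
ANSWERS = ("not applicable", "needs more information", "yes", "no")
ANSWER_RE = re.compile(
    r"^(%s)\b\.?\s*(.*)$" % "|".join(ANSWERS), re.IGNORECASE | re.DOTALL
)
# Assumption of this example: these answers leave an item open.
OPEN_ANSWERS = {"no", "needs more information"}


@dataclass
class Item:
    section: str
    question: str
    answer: str
    remarks: str


def parse_checklist(text):
    """Turn 'Question? Answer. Remarks' lines into Item records."""
    items, section = [], "UNSPECIFIED"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "?" not in line:
            if line.isupper():  # an all-caps line is a section heading
                section = line
                continue
            raise ValueError(f"not a heading or a question: {line!r}")
        question, _, rest = line.partition("?")
        match = ANSWER_RE.match(rest.strip())
        if match is None:
            # Never drop an item silently: an unanswered question is a gap.
            raise ValueError(f"no recognized answer for: {question.strip()}?")
        items.append(Item(section, question.strip() + "?",
                          match.group(1).lower(), match.group(2).strip()))
    return items


def summarize(items):
    """Return (answer counts, open items) for the PrHA report."""
    counts = Counter(item.answer for item in items)
    open_items = [item for item in items if item.answer in OPEN_ANSWERS]
    return counts, open_items


if __name__ == "__main__":
    counts, open_items = summarize(parse_checklist(HF_CHECKLIST))
    print(dict(counts))
    for item in open_items:
        print(f"[{item.section}] {item.question} -> {item.answer}: {item.remarks}")
```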
Any engineer with knowledge of the subject process should be able to use a checklist.
Because the PSM Rule requires a team approach, more than one analyst should be involved in
preparing the checklist and applying it to the process. The results of the analysis should be
reviewed by an independent analyst.
An estimate of the time required to perform a PrHA using the checklist analysis method is
given in Table 4.4.
                        PREPARATION    EVALUATION     DOCUMENTATION
Simple/Small System     2 to 4 hours   4 to 8 hours   4 to 8 hours
Complex/Large Process   1 to 3 days    3 to 5 days    2 to 4 days
When derived from handbooks or similar sources, many entries in a checklist may not be
applicable to the process being studied. In other cases, process hazards may be so unusual
they are not in standard checklists. Thus, it may be difficult to assure that all hazards have
been analyzed. Also, checklists may indicate that hazards exist, but not what accident
scenarios are associated with them.
Simplified checklist analyses for the two example processes in Section 4.0 are shown in
Tables 4.5 and 4.6. The same checklist was used for both processes.
4.2 What-If Analysis
Do all raw materials continue to conform to original specifications? Yes. The cylinders are
ordered with the same anhydrous HF specification used since startup.
Is each receipt of material checked? No. There have been no problems with the supplier, so
no such check has been considered. Investigate consequences of receiving material other than
HF. Consider adding such checks on HF receipts.
Does the operating staff have access to Material Safety Data Sheets? Yes. All staff are
familiar with the process chemistry, including the hazards of HF.
Is fire fighting and safety equipment properly located and maintained? Yes.
EQUIPMENT
Has all equipment been inspected as scheduled? Yes. The maintenance personnel have
inspected the equipment in the process area according to company inspection standards.
Given the corrosivity of HF, inspections may have to be more frequent.
Have pressure relief valves been inspected as scheduled? Yes.
Have rupture discs been inspected (for having blown) as scheduled? Yes. Though none have
failed, procedure calls for inspection of rupture disc and installation after maintenance.
Are the proper maintenance materials (parts, etc.) available? Yes. They include spare pigtails
for the supply cylinders as well as properly rated rupture discs. Other items must be ordered.
PROCEDURES
Do all raw materials continue to conform to original specifications? Yes. The drums are
ordered with the same chlorine specification used since startup.
Is each receipt of material checked? Yes. The supplier once sent a cylinder of phosgene.
Since then, a test is performed by the maintenance staff. In addition, the fusible plugs are
inspected for evidence of leakage, before a cylinder is hooked up.
Does the operating staff have access to Material Safety Data Sheets? Yes. All staff are
familiar with the process chemistry, including the hazards of Cl2.
Is fire fighting and safety equipment properly located and maintained? Yes. This system is
on a concrete building roof. Because there are no flammable materials involved in this
system, if a fire occurs, there will be no special effort by fire fighting crews to concentrate on
the roof area.
EQUIPMENT
Has all equipment been inspected as scheduled? Yes. The maintenance personnel have
inspected the equipment in the process area according to company inspection standards.
Have pressure relief valves been inspected as scheduled? Yes.
Have rupture disks been inspected (for having blown) as scheduled? Not applicable.
Are the proper maintenance materials (parts, etc.) available? Yes. They include spare pigtails
for the supply cylinders, as well as a rotameter and a pressure check valve. Other items must
be ordered.
Is there an emergency cylinder capping kit? Yes.
PROCEDURES
and interviews should be scheduled before the analysis begins. Finally, some preliminary
what-if questions should be prepared to "seed" the team meetings. If the analysis is an update
of a previous PrHA, then questions listed in previous reports can be used. For a new process
or a first-time application, preliminary questions should be developed by team members
before the meetings, although additional questions formulated during the meetings are
essential. The cause-and-effect thought process used in other types of analyses described in
this section, such as HAZOP studies and FMEAs, can help formulate questions.
PERFORMING THE ANALYSIS. The scope of the study should be agreed upon by the team members.
The analysis meetings should begin with a basic explanation of the process by operations staff
who have overall facility and process knowledge, plus expertise relevant to the team's area of
investigation. The presentation should also describe the facility's safety precautions, safety
equipment, and health control procedures.
The meetings then revolve around potential safety issues identified by the analysts. The
analysts are encouraged to voice any potential safety concern in terms of questions that begin
with "what-if." However, any process safety concern can be voiced, even if it is not phrased
as a question. For example:
"I wonder what would happen if the wrong material was delivered."
"What if Pump Y seals begin to leak?"
"What if valve X fails open?"
The questions may address any off-normal condition related to the facility, not just component
failures or process variations. The questions are formulated based on PrHA team member
experience and applied to existing drawings and process descriptions. The team generally
proceeds from the beginning of the process to its end, although the PrHA team leader can
order the analysis in any logical way he or she sees fit, such as dividing the process into
functional systems. Or the leader may direct the review to begin with the introduction of feed
material and follow the flow until the end of the process. The questions, and eventually the
answers (including hazards, consequences, engineered safety levels, and possible solutions to
important issues), are recorded by the team member designated as "scribe," so that they can
be viewed by all team members.
The questions may be divided into specific areas of investigation usually related to
consequences of interest, such as electrical safety, fire protection, or personnel safety. Each
area is subsequently addressed by a team of one or more knowledgeable individuals. The
team answers each question and addresses each concern (or indicates a need for more
information) and identifies the hazard, potential consequences, engineered safety levels, and
possible solutions. During the process, any new what-if questions that become apparent are
added. Sometimes the proposed answers are developed by individuals outside the initial
meeting, and then presented to the team for endorsement or modification.
For example, given the question:
"What if the HF cylinder fails because of corrosion?",
the team would attempt to determine how the process would respond:
"A cylinder leak would release HF to the atmosphere and eventually result in a
loss of HF feed to the vaporizer."
The team might then recommend checking with the supplier regarding cylinder inspection
practices.
The team should not be rushed, and meetings should last no longer than 4 to 6 hours per day.
What-if team meetings that last more than 5 consecutive days are not desirable. If a process
is complex or large, it should be divided into smaller segments so that the team does not
spend several consecutive days just listing questions.
DOCUMENTING THE RESULTS.
[What-if analysis worksheet form. Surviving fields: Date; Page __ of __; Scenario; Consequence; Comments.]
The PSM Rule requires that a what-if analysis be performed by a team with expertise in
engineering and process operations. It must include at least one employee experienced in the
process, and one knowledgeable in the use of the analysis method. For simple processes, two
or three people may be assigned to perform the analysis. However, larger teams may be
required for more complex processes. When a large team is required, the process may be
divided logically into smaller pieces, and a subset of the team may analyze each piece.
The time and cost of a what-if analysis are proportional to the number and complexity of the
processes being analyzed. Table 4.8 presents estimates of the time needed to perform a
PrHA using the what-if analysis method.
Table 4.8. Approximate Time Requirements for What-If Analyses
SCOPE                   PREPARATION (a)   EVALUATION     DOCUMENTATION (a)
Simple/Small System     4 to 8 hours      4 to 8 hours   1 to 2 days
Complex/Large Process   1 to 3 days       3 to 5 days    1 to 3 weeks
The what-if analysis is a powerful PrHA method if the analysis team is experienced and well
organized. Otherwise, because it is a relatively unstructured approach, the results are likely to
be incomplete.
4.2.5 Example What-If Analyses
Partial what-if analyses for the two example processes described in Section 4.0 are shown in
Tables 4.9 and 4.10. Although for actual, more complex analyses, the what-if tables for each
line or vessel would be separate, for these examples, a single table was developed. A
preliminary hazard analysis (PHA) would identify that the intrinsic hazards associated with
HF are its reactivity (including reactivity with water, by solution), corrosivity (including
carbon steel, if wet), toxicity via inhalation and skin contact, and environmental toxicity. The
N2 supply system pressure is not considered in this example. The specific effects of loss of
containment could be explicitly stated in the "loss of HF containment" scenarios identified.
Similarly, the effects of loss of chlorine containment, including the reactivity and toxicity of
chlorine, could be specified for the second example.
4.3 What-If/Checklist Analysis
The what-if/checklist analysis method combines the creative, brainstorming features of the
what-if analysis with the systematic features of the checklist analysis. The PrHA team uses
the what-if analysis method to brainstorm the types of accidents that can occur within a
process. Then the team uses one or more checklists to help fill in any gaps. Finally, the
team members suggest ways for reducing the risk of operating the process. The what-if
analysis encourages the PrHA team to consider potential accident events and consequences
that are beyond the experience of the authors of a good checklist and, thus, are not covered
on the checklist. Conversely, the checklist lends a systematic nature to the what-if analysis.
Normally, a what-if/checklist analysis is used to examine the potential consequences of
accident scenarios at a more general level than some of the more detailed PrHA methods. It
can be used for any type of process at virtually any stage in its life cycle. However, this
method is generally used to analyze the more common hazards that exist in a process.
4.3.2 Analysis Procedure
PREPARING FOR THE ANALYSIS.
DATE:
PAGE: __ of __
SCENARIO
COMMENTS
None.
None.
2a
2b
None.
3a
CONSEQUENCES
... the dock and this equipment is involved in a fire?
HF release to atmosphere via vent
OR
SAFETY LEVELS
3b
Possible large pipe and pipe component
failures due to corrosion.
Relief valve, rupture disc.
Possible vaporizer rupture with further
release and blast effects, worker injured by
blast or scalded.
... moisture is introduced into
the HF cylinder via the N2
supply?
None.
4a
4b
HF solution attacks carbon steel,
corrosion, leak or rupture, possible worker
exposure via inhalation and skin, possibly
fatal.
DATE:
CONSEQUENCES
SAFETY LEVELS
SCENARIO
None.
None.
Procedure: sampling of
contents on receipt.
PAGE:
__ of __
COMMENTS
DATE:
CONSEQUENCES
SAFETY LEVELS
SCENARIO
PAGE:
__ of __
COMMENTS
None.
Prevention: supplier's
procedures.
Chlorine release.
None.
None.
Periodic inspection.
None.
6a
6b
None.
For the checklist portion of the analysis, the PrHA team leader obtains or develops an
appropriate checklist for the team to use. This list need not be as detailed as those used for a
standard checklist analysis. Rather than focusing on a specific list of design or operating
features, the checklist used here should focus on general hazardous characteristics of the
process.
DEVELOPING WHAT-IF QUESTIONS.
Combining the what-if and checklist analysis methods emphasizes their main positive features
(i.e., the creativity of what-if analysis and the experience-based thoroughness of a checklist
analysis) while at the same time compensating for their shortcomings when used separately.
For example, a traditional checklist is, by definition, based on the process experience the
author accumulates from various sources. The checklist is likely to provide incomplete
insights into the design, procedural, and operating features necessary for a safe process. The
what-if part of the analysis uses a team's creativity and experience to brainstorm potential
accident scenarios. However, because the what-if analysis method is usually not as detailed,
systematic, or thorough as some of the more regimented approaches (e.g., HAZOP study,
FMEA), use of a checklist permits the PrHA team to fill in any gaps in their thought
process.
4.3.4 Staffing Needs and Time
The number of individuals needed depends upon the complexity of the process and, to some
extent, the stage at which the process is being evaluated. Normally, a PrHA using this
method requires fewer people and shorter meetings than does a more structured method such
as a HAZOP study. Estimates of the time needed to perform a PrHA using the what-if/
checklist analysis method are shown in Table 4.11.
Table 4.11. Approximate What-If/Checklist Analysis Time Requirements
SCOPE                   PREPARATION (a)   EVALUATION      DOCUMENTATION (a)
Simple/Small System     6 to 12 hours     6 to 12 hours   4 to 8 hours
Complex/Large Process   1 to 3 days       4 to 7 days     1 to 3 weeks
To fill in the gaps in the standard what-if analyses given as examples in Section 4.2, the
checklists used for the examples in Section 4.1 were used here. The resulting what-if/
checklist analyses for the two example processes are shown in Tables 4.12 and 4.13. The
tables show only additional scenarios identified by applying the checklist.
CONSEQUENCES
DATE:
SAFETY LEVELS
PAGE:
__ of __
COMMENTS
Possible rupture of HF
cylinder with personnel
exposure to HF and blast
effect, possibly fatal.
None.
None.
CONSEQUENCES
DATE:
SAFETY LEVELS
None.
PAGE:
__ of __
COMMENTS
4.4
The HAZOP study was developed to identify hazards in process plants and to identify
operability problems that, although not hazardous, could compromise a plant's productivity.
The basic concept behind HAZOP studies is that processes work well when operating under
design conditions. When deviations from the process design conditions occur, operability
problems and accidents can occur. The HAZOP study method uses guide words to assist the
analysis team in considering the causes and consequences of deviations. These guide words
are applied at specific points or sections in a process and are combined with specific process
parameters to identify potential deviations from intended operation.
4.4.1 Description of the Method
A HAZOP study requires considerable knowledge of the process, its instrumentation, and its
operation. This information is usually provided by expert team members. The team should
include individuals with a variety of experience, including design, engineering, operations, and
maintenance.
The primary advantages of a HAZOP study are creativity and new ideas. Creativity is the
result of interactions among team members with diverse backgrounds. Such interactions often
generate new ideas. The success of a HAZOP study depends on the freedom of members to
express their views. Combining this approach with a systematic protocol for examining
hazards promotes thoroughness and accuracy.
4.4.2 Analysis Procedure
A HAZOP study has three steps: (1) defining the process, (2) performing the study, and
(3) documenting the results. Defining the process and documenting the results can be
performed by a single person. The study itself must be performed by a team.
DEFINING THE PROCESS TO BE STUDIED.
If too much of a process is included in a single study node, deviations may be missed. If too
little of a process is included, the study can become tedious. In addition, root causes of
deviations and their potential consequences can become separated. Using too many study nodes is
common among novice HAZOP study leaders. On the positive side, a study with too many nodes
is less likely to miss scenarios than one with too few nodes.
The HAZOP team examines each study node for potentially hazardous process deviations.
First, the design intent is defined to delineate the purpose of the equipment and the process
parameters. Process deviations are determined by combining guide words with the important
process parameters. The established set of guide words is shown in Table 4.14.
Table 4.14. Guide Words for HAZOP Studies
GUIDE WORD   MEANING                 EXAMPLES
None of      Negation of Intention
More of      Quantitative Increase
Less of      Quantitative Decrease
Part of      Qualitative Decrease
As well as   Qualitative Increase
Reverse      Logical Opposite        Reverse flow. Sequential process steps performed in reverse order.
Other than   Complete Substitution
The process parameters and example deviations typically used in a HAZOP study are shown
in Table 4.15. Additional process parameters can be added if warranted. One purpose of the
guide words is to assure that all relevant deviations of process parameters are evaluated.
Table 4.15. Example HAZOP Study Process Parameters and Deviations
PROCESS PARAMETER   DEVIATION
Flow (rate)         No flow; High flow; Low flow; Reverse flow
Time                Too long; Too short; Too late; Too soon
Flow (quantity)     Too much; Too little
Sequence            Omit a step; Steps reversed; Extra step
Pressure            High pressure; Low pressure
pH                  High pH; Low pH
Temperature         High temperature; Low temperature
Viscosity           High viscosity; Low viscosity
Level               High level/overflow; Low level/empty
Heat Value
Mixing
Phases              Extra phase; Phase missing
Composition         Component missing; High concentration; Low concentration
Location            Additional source; Additional destination; Wrong source; Wrong destination
Purity              Impurities present; Catalyst deactivated/inhibited
Reaction            No reaction; Too little reaction; Too much reaction; Reaction too slow; Reaction too fast
The following are examples of deviations created using guide words and process parameters.
Guide Word   +   Parameter     =   Deviation
No           +   Flow          =   No flow
More         +   Temperature   =   High temperature
Other than   +   Location      =   Wrong location
In the first example, the guide word "No" combined with the process parameter "Flow" results
in the deviation "No flow." Considering this deviation, the study team agrees on its possible
causes (e.g., operator error causes block in pump), the consequences of the deviation (e.g.,
line rupture due to high pressure), and the safety levels which prevent the cause from leading
to the consequence (e.g., pressure relief valve on pump discharge line). The consequence
specified presupposes the failure of active protection systems (e.g., relief valves, process trip
signals). If the causes and consequences are significant, and the safety levels are inadequate,
the team may recommend a follow-up action. In some cases, the team may identify a
deviation with a realistic cause but unknown consequences (e.g., an unknown reaction
product) and recommend follow-up studies to determine the potential consequences.
The HAZOP study should be performed in a deliberate, systematic manner to reduce the
possibility of omissions. Within a study node, all deviations associated with a given process
parameter should be analyzed before the next process parameter is considered. All of the
deviations for a given study node should be analyzed before the team proceeds to the next
node.
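An added example (not part of the handbook) of the ordering rule above and of the follow-up rule in the preceding paragraph: it lists the deviations expected for a study node, one parameter at a time, and checks a worksheet against them. The guide-word pairings beyond the page's three worked examples, the node's parameter list, and every worksheet row are constructed for illustration.

```python
"""HAZOP worksheet check: expected deviations per study node and open follow-ups."""

# Guide words in the order they are applied to each parameter.
GUIDE_WORDS = ["No", "More", "Less", "Reverse", "Other than"]

# (guide word, parameter) -> deviation. The first, fifth and last pairings are the
# page's worked examples; the others pair Table 4.15 deviations with the guide word
# of matching meaning in Table 4.14 (an assumption of this example).
DEVIATIONS = {
    ("No", "Flow"): "No flow",
    ("More", "Flow"): "High flow",
    ("Less", "Flow"): "Low flow",
    ("Reverse", "Flow"): "Reverse flow",
    ("More", "Temperature"): "High temperature",
    ("Less", "Temperature"): "Low temperature",
    ("More", "Pressure"): "High pressure",
    ("Less", "Pressure"): "Low pressure",
    ("Other than", "Location"): "Wrong location",
}


def expected_deviations(parameters):
    """All deviations of one parameter before the next parameter is considered."""
    return [DEVIATIONS[(guide, parameter)]
            for parameter in parameters
            for guide in GUIDE_WORDS
            if (guide, parameter) in DEVIATIONS]


def is_blank(cell):
    """A worksheet cell left empty or filled in as 'None'."""
    return cell.strip().lower() in ("", "none")


def review(nodes, worksheet):
    """Return (missing, follow_up).

    missing:   (node, deviation) pairs expected for the node but not on the worksheet.
    follow_up: rows with an unknown consequence, or with a consequence but no
               safety level, where no action has been recorded yet.
    """
    missing = []
    for node, parameters in nodes.items():
        recorded = {r["deviation"] for r in worksheet if r["node"] == node}
        missing += [(node, d) for d in expected_deviations(parameters) if d not in recorded]

    follow_up = []
    for r in worksheet:
        if not is_blank(r["action"]):
            continue                      # the team has already decided what to do
        if "unknown" in r["consequence"].lower():
            follow_up.append((r["node"], r["deviation"], "consequence unknown: follow-up study"))
        elif not is_blank(r["consequence"]) and is_blank(r["safety_levels"]):
            follow_up.append((r["node"], r["deviation"], "no safety level and no action recorded"))
    return missing, follow_up


def row(node, deviation, cause, consequence, safety_levels="None", action=""):
    return {"node": node, "deviation": deviation, "cause": cause,
            "consequence": consequence, "safety_levels": safety_levels, "action": action}


# Constructed sample data: one study node and four worksheet rows.
NODE = "HF supply line to vaporizer"
NODES = {NODE: ["Flow", "Temperature"]}
WORKSHEET = [
    row(NODE, "No flow", "Supply valve closed", "Consequence unknown"),
    row(NODE, "High flow", "Regulator fails open", "Over-pressure; HF release"),
    row(NODE, "Low flow", "Partial blockage", "Insufficient HF supply",
        action="No action: unlikely event"),
    row(NODE, "High temperature", "Heating loop fault", "Over-pressure",
        safety_levels="Local temperature indication"),
]

if __name__ == "__main__":
    missing, follow_up = review(NODES, WORKSHEET)
    print("Not yet analyzed:", missing)
    print("Needs follow-up:", follow_up)
```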
DOCUMENTING THE RESULTS. The documentation of a HAZOP study is a systematic and
consistent tabulation of the effects of process deviations. The study generates narratives about
the normal operating conditions and analysis boundary conditions for each equipment item.
In addition, it provides a list of potential actions that should be evaluated. Table 4.16 is an
example of a HAZOP study worksheet. A typical HAZOP study report should include a brief
system description, a list of drawings or equipment analyzed, the design intents, the HAZOP
study tables, and a list of action items.
DATE:   PAGE: __ of __
DEVIATION   CAUSE   CONSEQUENCE   SAFETY LEVELS   SCENARIO   COMMENTS/ACTIONS
Table 4.17. Time Estimates for Using the HAZOP Study Method
SCOPE                   PREPARATION (a)   EVALUATION     DOCUMENTATION
Simple/Small System     8 to 12 hours     1 to 3 days    2 to 6 days (b)
Complex/Large Process   2 to 4 days       1 to 4 weeks   2 to 6 weeks
(a) Primarily team leader and scribe, although others may work during this phase.
(b) Team leader and scribe only. May be shorter for experienced scribes using computer software in the HAZOP study meetings.
Source: CCPS, 1992.
Staff requirements for HAZOP studies vary with the size and complexity of the process.
Time and cost are proportional to the size of the process being analyzed and the experience of
the study leader and team members. Table 4.17 presents estimates of the time needed to
perform a PrHA using the HAZOP study method (CCPS, 1992). Study sessions should be
limited to 3 consecutive days.
4.4.4 Limitations of the Hazard and Operability Study
The primary limitation of a HAZOP study is the length of time required to perform it.
Because the study is designed to provide a complete analysis, study sessions can be intensive
and tiring.
HAZOP studies typically do not look at occupational hazards (e.g., electrical equipment,
rotating equipment, hot surfaces) or chronic hazards (e.g., chronic chemical exposure, noise,
heat stress).
4.4.5 Example Hazard and Operability Studies
Partial HAZOP studies for the example processes described in Section 4.0 are shown in
Tables 4.18 and 4.19. A complete example of a HAZOP study can be found in Reference 10.
Table 4.18. Example HAZOP Study for the Dock 8 HF Supply System
LINE/VESSEL: HF Supply Line To Vaporizer
GUIDE
WORD
No
DEVIATION
No flow
CAUSE
DATE:
CONSEQUENCE
SAFETY LEVELS
Low flow
COMMENTS/
ACTION
No known protection.
Line rupture
None
No Action: Unlikely
event; piping protected
against external impact.
Insufficient HF supply to
B-1 process; consequence
unknown.
No known protection.
Same as #1
More
Reverse
__ of __
SCENARIO
Less
PAGE:
High flow
None
High temperature
Over-pressure; HF release;
possible injuries/fatalities.
Low temperature
Cold weather
Backflow to HF
inlet line
None
6
Local temperature
indication on water
heating loop.
No action: Unlikely
event.
Table 4.19. Example HAZOP Study for the Cooling Water Chlorination System
LINE/VESSEL: Cooling Water Chlorination System
GUIDE
WORD
None
DEVIATION
No flow chlorination loop
CAUSE
DATE:
CONSEQUENCE
SAFETY LEVELS
SCENARIO
Pump failure.
Loss of electric power to
pump.
Chlorination pump
malfunction alarm.
None identified
More
None identified
Reverse
Backflow - in
chlorination loop
None identified
None
No flow - chlorine to
chlorination loop
__ of __
ACTION
Less
PAGE:
4.5
A FMEA is used to examine each potential failure mode of a process to determine the effects
of the failure on the system. A failure mode is the symptom, condition, or fashion in which
hardware fails. It may be identified as a loss of function, a premature function (function
without demand), an out-of-tolerance condition, or a physical characteristic, such as a leak,
observed during inspection. The effect of a failure mode is determined by the system's
response to the failure.
4.5.2 Analysis Procedure
A FMEA has three steps: (1) defining the process, (2) performing the analysis, and (3)
documenting the results. Defining the process for study and documenting the results can be
performed by a single person. The analysis itself must be performed by a team.
DEFINING THE PROCESS. This step identifies the specific vessels, equipment, and instrumentation
to be included in the FMEA and the conditions under which they are analyzed. Defining the
problem involves establishing an appropriate level of resolution for the study and defining the
boundary conditions for the analysis.
The required level of resolution determines the extent of detail needed in a FMEA. The
choices for the level of resolution range from the subcomponent level to the system level. To
satisfy PSM Rule requirements, most FMEAs should be performed at the major component
level. This level provides the best trade-off between the time necessary to perform the
analysis and the usefulness of the information gained from it.
Defining the analysis boundary conditions requires the following.
1.
2.
3.
4.
5.
6.
Functional narratives about the system or process should include descriptions of the expected
behavior of the system or process and the equipment components for each operational mode.
Narratives should describe the operational profiles of the components and the functions and
outputs of each.
To assist in the review, block diagrams should be constructed which illustrate the operation,
interrelationships, and interdependencies of functional components for each equipment item.
All interfaces should be indicated in these block diagrams.
PERFORMING THE ANALYSIS.
Severity Class. The severity of the worst consequence should be specified as follows.
Category I     Catastrophic
Category II    Critical
Category III   Marginal
Category IV    Minor
Remarks/Actions. For each identified failure mode, the PrHA team should suggest actions for
reducing its likelihood or mitigating its effects. The actions suggested for a particular piece
of equipment may focus on the causes or effects of specific failure modes or may apply to all
of the failure modes collectively.
If the team discovers that a single item failure is not detectable, the FMEA should be
extended to determine if the effects of a second failure in combination with the first could
have catastrophic consequences. When a safety, redundant, or back-up component is
evaluated, the analysis should consider the conditions that generated the need for the
component.
DOCUMENTING THE RESULTS. A FMEA generates a qualitative, systematic reference list of
equipment, failure modes, and effects. The results of a FMEA are usually listed in tabular
format, by equipment item. Table 4.20 shows a typical worksheet used in performing a
FMEA. For each equipment item, the failure modes for that item and, if desired, the root
causes for that failure mode are identified. For each failure mode, a worst-case estimate of
the consequences is identified. This worst-case estimate assumes the failure of all protection
against both the failure itself and the undesired consequences of the failure. The method by
which the failure is detected is specified along with any compensating provisions. Finally,
any suggestions for improving safety are listed in the table.
Staffing Needs and Time
The PSM Rule requires that a FMEA be performed by a team, all of whose members
participate in the analysis. The most practical means of performing the FMEA is to prepare
blank worksheets on viewgraphs or on a large display screen. For each equipment item, the
PrHA team reaches a consensus on its failure modes and their causes, effects, detection
methods, compensating provisions, severity (if desired), and any remarks or action items.
Staff requirements for a FMEA vary with the size and complexity of equipment items being
analyzed. The time and cost of a FMEA are proportional to the size of the process and
PAGE:   of
PLANT:
SYSTEM:
ITEM:
REFERENCE:
FAILURE MODE   CAUSE(S)   OPERATIONAL MODE   FAILURE EFFECTS   FAILURE DETECTION METHOD   COMPENSATING PROVISIONS   SEVERITY CLASS   REMARKS/ACTIONS
Table 4.21. Time Estimates for Using the Failure Mode and Effects Analysis Method
SCOPE                   PREPARATION    EVALUATION     DOCUMENTATION
Simple/Small System     2 to 6 hours   1 to 3 days    1 to 3 days
Complex/Large Process   1 to 3 days    1 to 3 weeks   2 to 4 weeks
Human operator errors are not usually examined in a FMEA, but the effects of human error
are indicated by an equipment failure mode. FMEAs rarely investigate damage or injury that
could arise if the system or process operated successfully. Because FMEAs focus on single
event failures, they are not efficient for identifying an exhaustive list of combinations of
equipment failures that lead to accidents.
4.5.4 Example Failure Mode and Effects Analyses
Partial FMEAs for the example processes described in Section 4.0 are shown in Tables 4.22
and 4.23.
DATE: 12/30/92   PAGE:   of
PLANT: Y-12 Plant
SYSTEM:
ITEM:
REFERENCE:
FAILURE MODE: Valve open too far
  CAUSE(S): Internal valve malfunction. Operator error. Calibration error.
  OPERATIONAL MODE: Operation
  FAILURE EFFECTS: High N2 pressure at HF cylinders, HF vaporizer - HF vaporizer vessel rupture - HF released to environment. High HF flow to HF vaporizer - high HF flow to B-1 wing - potential liquid HF to B-1 wing.
  FAILURE DETECTION METHOD: Local pressure indication on N2 line. Local pressure indication between rupture disk and PRV-4 at vaporizer.
  COMPENSATING PROVISIONS: PRV-3 at V-13 outlet. PRVs on N2 feed lines to HF cylinders. PRV-4 at HF vaporizer.
  SEVERITY CLASS: II
  REMARKS/ACTIONS: If N2 line relief valves lift, vaporizer relief valve should not lift. Relief valve discharges piped to D-wing stack.
FAILURE MODE: Valve closed too far
  CAUSE(S): Internal valve malfunction. Operator error. Calibration error.
  OPERATIONAL MODE: Operation
  FAILURE EFFECTS: No N2 pressure to HF cylinder - no HF flow to HF vaporizer, B-1 wing.
  FAILURE DETECTION METHOD: Local pressure indication on N2 line.
  COMPENSATING PROVISIONS: None
  SEVERITY CLASS: IV
FAILURE MODE: External leakage
  CAUSE(S): Valve seal leakage.
  OPERATIONAL MODE: Operation
  FAILURE EFFECTS: Waste on N2. If severe, same as "valve closed too far."
  FAILURE DETECTION METHOD: Audible. Local pressure indication on N2 line, if severe.
  COMPENSATING PROVISIONS: None
  SEVERITY CLASS: IV
Table 4.23. Partial FMEA for the Cooling Water Chlorination System
DATE:
1/4/93
PAGE:
PLANT:
ITEM:
FAILURE
MODE
SYSTEM:
Pressure Check Valve
CAUSE(S)
REFERENCE:
OPERATIONAL
MODE
Operation
One or both
internal pressure
valves fail closed
Operation
Chlorine flow to environment
Internal relief valve sticks open
Operation
Both internal
pressure valves
fail open and
relief valve opens
of
FAILURE
DETECTION
METHOD
FAILURE
EFFECTS
Rotameter
Rotameter
Daily testing of
cooling water
chemistry
Daily testing of
cooling water
chemistry
COMPENSATING
PROVISIONS
SEVERITY
CLASS
REMARKS/
ACTIONS
Relief valve on
Pressure check valve
outlet
III
None
Automatic
temperature
controllers at most
heat exchangers
IV
None
III
Action Item:
Consider
venting relief
valve above
ground level
4.6
A FTA has four steps: (1) defining the system or process, (2) constructing the fault trees,
(3) analyzing the fault trees, and (4) documenting the results. To meet PSM Rule
requirements, defining the process for study, performing the analysis, and documenting the
results can be performed by a single person. The construction of the fault trees must be
performed by a team.
[Fault tree symbols: AND gate, OR gate, INHIBIT gate, DELAY gate, INTERMEDIATE event, BASIC event, UNDEVELOPED event, EXTERNAL or HOUSE event, TRANSFER IN/OUT symbols]
DEFINING THE PROCESS. This step identifies the specific top event or events to be evaluated and
the boundary conditions under which they are analyzed. Boundary conditions include the
following.
Unallowed Events
Existing Conditions
Other Assumptions
Physical system boundaries encompass the equipment, the interfaces with other processes, and
the utility/support systems to be analyzed. Along with the physical system boundaries,
analysts should specify the levels of resolution for fault tree events reflecting failures of both
equipment and support systems (i.e., major component level, subcomponent level, system
level, and subsystem level). For example, analysts may set the level of resolution at the
subsystem level (electrical bus, cooling loop) for support systems.
Other boundary conditions are the initial equipment configuration or the initial operating
conditions. Initial conditions reflect the initial state of all components and support systems
that are included in the FTA. This boundary condition describes the system in its normal,
unfailed state.
Unallowed events are those that are considered to be incredible or that, for some other reason,
are not to be considered in the analysis. For example, wiring failures might be excluded from
the analysis of an instrument system. Existing conditions are, for the purposes of the FTA,
events or conditions considered certain to occur. The unallowed and existing conditions do
not appear in the fault tree, but their effects must be considered in developing other fault
events as the fault tree is constructed.
Because a broadly scoped or poorly defined top event can lead to an inefficient analysis, the
top event should be precisely defined to show the "what," "when," and "where" of the
accident. Accordingly, analysts may specify other assumptions, as necessary, to define the
system or process to be analyzed. For example, analysts may assume that the process is
operating at 100 percent of normal capacity.
CONSTRUCTING THE FAULT TREE. Fault tree construction begins at the top event and proceeds, level
by level, until all fault events have been traced to their basic contributing events or basic
events. The analysis starts with a review of system requirements, function, design,
environment, and other factors to determine the conditions, events, and failures that could
contribute to an occurrence of the undesired top event. The top event is then defined in terms
of sub-top events, i.e., events that describe the specific "whens and wheres" of the hazard in
the top event. Next, the analysts examine the sub-top events and determine the immediate,
necessary, and sufficient causes that result in each of these events. Normally, these are not
basic causes, but are intermediate faults that require further development. For each
intermediate fault, the causes are determined and shown on the fault tree with the appropriate
logic gate. The analysts follow this process until all intermediate faults have
been developed to their fault causes. The fault causes, or basic events, include equipment
failures, human response errors, and initiating events.
Table 4.25. Minimal Cutset Documentation
TOP EVENT:   Date:   Page:
CUTSET   CONSEQUENCE   SCENARIO #   COMMENTS
Although the construction of fault trees is not typically done by team approach, to meet the
PSM Rule requirement, all members of a PrHA team should provide input during the
construction of fault trees. The PrHA team can meet in a room with a large chalkboard or
roll of paper and assign one person to draw the fault trees. The team can come to a
consensus on the type (AND, OR) and inputs for each fault-tree gate, and the gates can then
be added to the fault tree drawing. However, because FTA develops a model of a system, it
is fundamentally not a consensus method. If there is disagreement in the tree construction,
then it is likely that the process is not well understood.
Using FTA requires a detailed understanding of how a process or system functions, detailed
drawings and procedures, and knowledge of component failure modes and effects. The team
leader should be well trained and experienced in constructing fault trees.
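An added example, not taken from the handbook, of how AND and OR gates resolve into the minimal cut sets recorded in Table 4.25. The tree is constructed from the pump failure, loss of electric power, and pump malfunction alarm named in Table 4.19; that the alarm shares the pump's power supply is an assumption made here to show a common-cause failure.

```python
"""Minimal cut sets of an AND/OR fault tree by top-down expansion."""
from itertools import product

# Constructed tree (not the handbook's Figure 4.3 or 4.4). Each gate maps to
# (gate type, inputs); any name that is not a key is a basic event.
# Assumption: the malfunction alarm is fed from the same power supply as the pump.
TOP_EVENT = "UNDETECTED_LOSS_OF_CHLORINATION_FLOW"
FAULT_TREE = {
    TOP_EVENT: ("AND", ["NO_FLOW_IN_LOOP", "NO_ALARM"]),
    "NO_FLOW_IN_LOOP": ("OR", ["PUMP_FAILURE", "LOSS_OF_ELECTRIC_POWER"]),
    "NO_ALARM": ("OR", ["ALARM_FAILURE", "LOSS_OF_ELECTRIC_POWER"]),
}


def cut_sets(tree, event, path=()):
    """Return every cut set (not yet minimal) that produces `event`."""
    if event in path:
        raise ValueError(f"fault tree loops back to {event!r}")
    if event not in tree:                      # basic event: nothing further to develop
        return {frozenset([event])}
    gate, inputs = tree[event]
    if not inputs:
        raise ValueError(f"gate {event!r} has no inputs")
    below = [cut_sets(tree, name, path + (event,)) for name in inputs]
    if gate == "OR":                           # any one input is sufficient
        return set().union(*below)
    if gate == "AND":                          # one cut set from every input, merged
        return {frozenset().union(*combo) for combo in product(*below)}
    raise ValueError(f"unsupported gate type {gate!r} at {event!r}")


def minimal_cut_sets(tree, top):
    """Drop every cut set that contains a smaller cut set; sort by order, then name."""
    minimal = []
    for candidate in sorted(cut_sets(tree, top), key=len):
        if not any(kept <= candidate for kept in minimal):
            minimal.append(candidate)
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def single_point_failures(tree, top):
    """Basic events that cause the top event on their own (cut sets of order 1)."""
    return sorted(next(iter(s)) for s in minimal_cut_sets(tree, top) if len(s) == 1)


def cutset_rows(tree, top):
    """Rows for a Table 4.25-style listing: (top event, cut set, order)."""
    return [(top, " AND ".join(sorted(s)), len(s)) for s in minimal_cut_sets(tree, top)]


if __name__ == "__main__":
    for listing_row in cutset_rows(FAULT_TREE, TOP_EVENT):
        print(listing_row)
    print("Single-point failures:", single_point_failures(FAULT_TREE, TOP_EVENT))
```

The expansion yields four cut sets, but three of them contain the power loss, so only two are minimal; the order-1 cut set is the one a reviewer would question first.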
Time and cost requirements for a FTA depend on the complexity of the process being
analyzed and the level of resolution. With an experienced team, modelling a single top event
involving a simple process could require one day or less. Complex processes or large
systems with many potential accident events could require many weeks or months, even with
an experienced analysis team. Table 4.26 presents estimates of the time needed to perform a
PrHA using the FTA method.
Table 4.26. Time Estimates for Using the Fault Tree Analysis Method
SCOPE                   PREPARATION   MODEL CONSTRUCTION   QUALITATIVE EVALUATION   DOCUMENTATION
Simple/Small System     1 to 3 days   3 to 6 days          2 to 4 days              3 to 5 days
Complex/Large Process   4 to 6 days   2 to 3 weeks         1 to 4 weeks             3 to 5 weeks
FTA is designed to develop the logical combinations of failures required to cause a given
event to occur. It is not an efficient, straightforward, practical method for identifying the
hazards present in most systems or processes, nor does it necessarily promote a more practical
understanding of the hazards, which is the intent of the PSM Rule.
Partial FTAs for the example processes described in Section 4.0 are shown in Figures 4.3
and 4.4.
Figure 4.4. Example FTA for the Cooling Water Chlorination System
5.0 REPORTING AND REVIEW OF ANALYSES
5.1
The format of PrHA documents must conform to the requirements of the PSM Rule and
existing guidance for DOE documentation. Two documents are required by the PSM Rule.
The first, the PrHA report, contains all necessary information except for a "...system to
promptly address the team's findings and recommendations; assure that the recommendations
are resolved in a timely manner and that the resolution is documented;..." That information is
separately documented, as discussed in Section 6.0 of this handbook. Two useful references
on the documentation of PrHAs are Freeman, 1991 and Hendershot, 1992.
TITLE PAGE AND TABLE OF CONTENTS.
SUMMARY OF RECOMMENDATIONS.
According to the PSM Rule, the scope of any analysis should include
receiving, storage, processing, and loading for delivery of any hazardous chemical covered
under the rule. The scope section of the report explains the extent of the treatment of each
part of the process. It may or may not include support systems, depending on their inherent
hazards and/or interactions with the process.
REVIEW OF PREVIOUS INCIDENTS.
IDENTIFIED HAZARDS. The identification of hazards is discussed in Section 3.0. This section
should present the hazards as identified. It may consist of or include the MSDSs for the
chemicals involved (see Section 2.1.1).
ANALYSIS METHODOLOGY. The PrHA method and the justification for selecting it are presented
here. It is not necessary to describe the method if it is listed in the PSM Rule (e.g., what-if,
checklist, HAZOP study, FMEA, FTA). If any other method is used, it must be described,
and the reason for its selection must be presented.
ANALYSIS TEAM. A list of the team members, their roles, and brief biographical sketches are
included here. Because the PSM Rule requires a team approach, this section should
demonstrate that the PSM team requirements were met. These requirements include expertise
in engineering and process operations, experience and knowledge specific to the process being
analyzed, and knowledge of the specific hazard analysis method.
SUMMARY OF FINDINGS.
ANALYSIS DOCUMENTATION.
5.2
After completion, the PrHA report should be reviewed internally. The review starts with an
assessment of the team and its credentials. A technical review follows, focusing on the
completeness of the analyses and the traceability and understandability of the documentation.
OVERALL APPROACH TO THE PROCESS. Completeness of a PrHA depends on how methodical the
PrHA team is in its approach. Reviewers should ask the following.
Did the PrHA work its way through the process systematically, or did it "jump
around," overlooking important scenarios? Scenarios are harder to find if the
PrHA does not move methodically from one part of the process to the next.
Were all parts of the system considered? All hardware and procedures should be
considered, from the receipt of hazardous chemicals through their use in the
process. In addition, if process connections exist, material flowing into systems
where it is not designed to be should also be considered.
Were all stages and operating modes of the process considered? Review should
include analysis of procedures for material receipt and unloading, startup,
shutdown (emergency and normal), and transitioning to partial operation (e.g.,
100 percent to 500 percent production).
How long did it take to perform the PrHA? Too short a time could indicate lack
of thoroughness. Or the PrHA may have been dominated by one person.
Alternatively, the leader might have prepared the PrHA ahead of time and used
the meetings to confirm his work.
PROCESS DEVIATIONS. Not all PrHA methods specifically identify process deviations. However,
to review the PrHA scenarios for completeness, a reviewer can use process deviations such as
those listed in Table 5.1, combined with process parameters.
INCIDENT CAUSES.
6.0 ESTABLISHING A SYSTEM FOR RESOLVING ACTION ITEMS
AND IMPLEMENTING CORRECTIVE ACTIONS
The critical result of a PrHA is the list of action items developed by the PrHA team. Action
items are written any time the team thinks that additional effort is warranted to review further
a specific scenario, to eliminate a hazard, or to reduce risks. Usually, action items do not
recommend specific corrective actions. They are meant to alert management to potential
problems. Sometimes, action items may suggest alternatives to be considered. However, if a
problem is simple, if a PrHA team is quite experienced, or if there is only one obvious
solution, an action item may be written to recommend a specific corrective action.
The action items from a PrHA are presented to management for review and evaluation, and
for determination of what, if any, corrective actions should be taken to eliminate hazards or to
reduce risks through preventative, protective, or mitigative measures. Because many action
items may be generated during a PrHA, the team may choose to rank the action items
according to the probability of occurrence of their corresponding accident scenarios or the
severity of their consequences or both. If the PrHA team is quite experienced, it may also
choose to rank the action items based on the anticipated time and resources required to
implement changes.
6.2
Management can use a variety of criteria to select and prioritize corrective actions and safety
improvements. They include costs, other competing priorities, implementation schedules, the
effectiveness of risk reduction, and technical feasibility. These criteria, as well as
management decisions about corrective actions, must be documented. If after evaluating an
action item, management chooses to take no further action, that decision must also be
documented. In addition to requiring documentation of management decisions, the PSM Rule
requires a system to track implementation of corrective actions to be made.
6.3
All documentation and tracking information must be up to date, readily available, and easy to
audit.
Because all corrective actions and safety improvements are management decisions, they
should be implemented according to DOE Order 5480.19, "Conduct of Operations
Requirements for DOE Facilities."
7.0 UPDATING THE PROCESS HAZARD ANALYSIS
Each PrHA must be updated and revalidated at least every 5 years to make sure it accurately
reflects current processes and operating experiences.
7.1
Schedule
The order in which the initial PrHAs are performed is based on the level of perceived risk.
Initial PrHAs must be completed, at least, in increments of 25 percent, as shown in Table 7.1.
A 5-year review schedule should be based on the initial rankings. Following this schedule
means that PrHA updates are completed annually for at least one-fourth of the processes.
Table 7.1. PrHA Review Schedule
Initial PrHA
First Review
First 25%
Second 25%
Third 25%
Last 25%
7.2
Update Team
The PrHA update is performed by a team with expertise in engineering and process
operations. The team must include at least one member who has experience and knowledge
specific to the process, and one member who is knowledgeable in the PrHA method being
used. The team need not include the original PrHA team members, although it may be
helpful, for consistency, to include at least one original member. New team members,
however, may bring different perspectives to the update.
7.3
Approach
Members of the update team should review a copy of the initial PrHA and check completion
of action items. The team should thoroughly review current PSI and descriptions of all
process modifications made since the initial PrHA report was finalized. A thorough review of
the PSI is necessary to make sure that the PrHA incorporates any new hazardous materials,
process technologies, equipment, and/or operating procedures. Finally, the team should
review all findings and resolutions from the initial PrHA to assure that they have been
adequately addressed.
If the process has changed extensively, it should undergo a new analysis using a PrHA
method appropriate to its new configuration. If the process has not changed much, the PrHA
is updated considering the changes that were made. Any hazards that were overlooked in the
initial analysis or that resulted from process modifications are added to the PrHA. In
addition, "lessons learned" from other PrHAs should be incorporated where applicable. In
some cases, scenarios may be omitted as a result of risk reduction measures. Updating a
PrHA typically takes a third to a half of the time of the original analysis.
7.4
Documentation
The update team must develop a new PrHA report to document the scope and approach of its
analysis as well as any new hazards, scenarios, and action items. Justification must be
provided for removing any scenarios from the original PrHA. The report should receive close
scrutiny, both for compliance with the PSM Rule and for explanations of new action items.
Guidance for reporting the PrHA results is given in Section 5.1. The updated report is
submitted to management for review and approval, following the same procedure as an initial
PrHA.
The PSM Rule requires that PrHAs for all covered processes, along with documentation of
resolutions of recommendations, be retained for the life of the process.
8.0 RELATIONSHIPS OF PROCESS HAZARD ANALYSES TO OTHER DOE
REQUIRED HAZARD ANALYSES
These topics are the subject of DOE Standard DOE-STD-1027-92, "Hazard Categorization
and Accident Analysis Techniques for Compliance with DOE Order 5480.23 Nuclear Safety
Analysis Reports," which provides guidance for facility managers and Cognizant Secretarial
Offices (CSOs). They are also discussed in the DOE Standard DOE-STD-3009-94,
"Preparation Guide for U.S. Department of Energy Nonreactor Nuclear Facility Safety
Analysis Reports," which describes a SAR preparation method that is acceptable to DOE.
The requirements of DOE-STD-1027-92 are used as the basis for identifying the overlap of
nuclear facility safety analysis requirements with the requirements of the PSM Rule.
According to DOE-STD-1027-92, the level of hazard analysis required for a nuclear facility
SAR is determined by the facility's nuclear hazard classification as follows.
NUCLEAR HAZARD CATEGORY 3 FACILITIES. Minimal hazard and accident analyses are required. The
PrHA should provide information to the safety analysis on release mechanisms, engineering
analysis, and consequence analysis.
Event Tree Analysis (ETA) is suggested by DOE-STD-1027-92, but is not included in the PSM Rule.
However, the PSM Rule does allow the use of "an appropriate equivalent methodology." Hence, if ETA is to
be used as the PrHA, the PrHA report must justify that the ETA method is appropriate and equivalent to the
methods listed in the rule.
NUCLEAR HAZARD CATEGORY 1 FACILITIES. Fault tree/event tree analyses are required if the facility
is a large reactor. If the facility is not a reactor and a PSM Rule PrHA is required, the
analyses can be conducted as described for Nuclear Hazard Category 2 Facilities. Different
systems or processes within the facility may be analyzed using different methods. For
example, HAZOP studies may be used as the PrHA method for processes that contain
chemical hazards. Fault tree/event tree analyses may be used to analyze systems that do not
need to comply with the PSM Rule.
All documents required by the PSM Rule should be referenced and their significant findings
summarized in the SAR. References and summaries should include not only the results of the
PrHA, but also all documents concerning the resolution of the PrHA team's findings.
9.0 REFERENCES
Burk, Arthur F., 1992. "Strengthen Process Hazards Reviews," Chemical Engineering
Progress, June 1992, pp. 90-94.
Center for Chemical Process Safety (CCPS), 1992. Guidelines for Hazard Evaluation
Procedures, Second Edition with Worked Examples; Publication G18; American
Institute of Chemical Engineers, New York.*
Freeman, Raymond A., 1991. "Documentation of Hazard and Operability Studies,"
Plant/Operations Progress, July 1991, Vol. 10, No. 3.
Hendershot, Dennis C., 1992. "Documentation and Utilization of the Results of Hazard
Evaluation Studies," prepared for presentation at the AIChE 1992 Spring National
Meeting, New Orleans, LA. Rohm and Haas Company, Bristol, PA.
Hummer, John J., John M. Googin, Ph.D, Michael W. Knazovich, Paul R. Wasilko, and
Janice West, 1992. "Report of Investigation of Accidental Release of Hydrogen
Fluoride from the Y-12 Plant Oak Ridge, Tennessee, January 24, 1992," Martin
Marietta Energy Systems, Inc., Oak Ridge, TN, March 1992.
King, Ralph, 1990. "Safety in the Process Industries," Butterworth-Heinemann, Ltd.,
1990.
U.S. Department of Defense, MIL-STD-882-C, "Military Standard System Safety
Program Requirements," Washington, DC, January 1993.
U.S. Department of Energy, DOE Order 5480.19, "Conduct of Operations Requirements
for DOE Facilities," Washington, DC, July 1990.
U.S. Department of Energy, DOE Order 5480.23, "Nuclear Safety Analysis Reports,"
Washington, DC, April 1992.
U.S. Department of Energy, DOE Order 5481.1B, "Safety Analysis and Review
System," Washington, DC, September 1986.
U.S. Department of Energy, DOE Standard, DOE-STD-1027-92, "Hazard Categorization
and Accident Analysis Techniques for Compliance with DOE Order 5480.23 Nuclear
Safety Analysis Reports," Washington, DC, December 1992.
U.S. Department of Energy, DOE Standard, DOE-STD-3009-94, "Preparation Guide for
U.S. Department of Energy Nonreactor Nuclear Facility Safety Analysis Reports,"
Washington, DC, July 1994.
U.S. Department of Energy, DOE Handbook, DOE-HDBK-1101-96, "Process Safety
Management for Highly Hazardous Chemicals," Washington, DC, February 1996.
U.S. Department of Energy, "Example Process Hazard Analysis of a Department of
Energy Water Chlorination Process," DOE/EH-0340, September 1993.
Title 29 Code of Federal Regulations (CFR) Part 1910, "Process Safety Management of
Highly Hazardous Chemicals; Explosives and Blasting Agents; Final Rule," February
24, 1992.
CONCLUDING MATERIAL
Review Activities:
DOE HQ
FIELD OFFICES
Preparing Activity:
DP
EH
EM
ER
NE
AL
ID
NV
Oakland
NV
RF
SR
DOE-EH-53
SS
PROJECT OFFICES
GJ
Project Number:
SAFT-0026